The Core Elements of a Resilient Cyber Security Posture
ISF Chief Executive, Steve Durbin, featured in Property Casual 360.

The Core Elements of a Resilient Cyber Security Posture

Most organisations rely heavily on technology, making them susceptible to cyber threats and necessitating a resilient cyber security plan. But what defines and comprises an effective cybersecurity strategy? Below are seven core elements that can lay the groundwork for a healthy cyber security posture.

No. 1: Close alignment between cybersecurity priorities and business outcomes

Businesses want to increase revenue and return value to shareholders, customers and employees. It is important to find an alignment between cyber security strategy and business goals without causing conflict or working at cross-purposes with business priorities. A good security strategy will align with corporate direction and is quantifiable in terms of the way it delivers that mission. Everyone in the organisation should be aware of not just the role cyber plays in the overall business strategy but at the individual level that helps to sustain a culture of security.

No. 2: Focus on crown jewels

The cybersecurity domain is intricate and so noisy with vendor promises that security teams can easily become distracted and confused. The starting point must always be about what needs to be achieved foremost to keep the business solvent. These are the organisation's crown jewels — essential, non-negotiable, and most worthy of safeguarding at any cost. When allocating budgets, security leaders must have complete clarity on what they are protecting, because no organisation is in the business of failure.

No. 3: Commitment from top down

Cyber security is often delegated to the IT staff however it is now evident that security risk extends beyond technology and is in truth, a business risk. Business leaders and the C-suite should be compelled to provide ongoing guidance and oversight on cybersecurity matters. That is because security is a collective responsibility: all stakeholders have an obligation to defend the organisation from data leaks and cyber attacks. Leadership must bring employees together under a common cause, set the tone, foster discussion, and shape the culture.

No. 4: Where security is not an afterthought

In many organisations security tends to be considered an afterthought. As a result, it ends up being retrofitted into product designs and processes at the last minute, leaving it vulnerable to exploitation. Early involvement of security priorities in project discussions will result in more secure processes and improved posture. It can also help to align cyber security more closely to business goals.

No. 5: Keep A watchful eye On KPIs

A basic component of any successful cybersecurity strategy is the ability to quantify, monitor, and report on the progress of cybersecurity controls and initiatives and their impact on the organisation's culture and security position. Establishing, tracking, and reporting key performance indicators allow organizations to identify security gaps, empower teams to make more data-driven decisions, and relay crucial information to leadership which in turn, helps persuade the board for additional resources for future security programs.

No. 6: Regular reviews of defenses, policies and regulations

Technology continues to evolve, threat vectors continue to multiply, and cybersecurity compliance laws continue to grow more cumbersome and stringent. Organisations must audit and test their defenses in line with the changing landscape; they must review their security policies and procedures at least every 12 months, keeping close tabs on what regulators and legislators are proposing. For these reasons alone it is advisable to seek third-party expertise to routinely conduct tabletop exercises and a comprehensive review (beyond standard check-box questionnaires) of security policies and procedures — from the board level down to business leaders, to employees and those responsible for security implementation.

No. 7: Attention to resilience, not only defense

While it is necessary to have a sound defense, it does not mean that organisations should overly fixate on threats. They must also conquer this notion of resilience – how quickly can the business respond and recover from an incident? In case networked systems go offline, how does it ensure business continuity? How long before lost data is fully recovered? None of these are easily solvable questions. Organisations should be testing and preparing for these contingencies.

Cyber security strategy is an ongoing journey that requires alignment with business goals, consistent review of vulnerabilities, controls, policies, and regulations. It also requires steady work on resilience and involvement from leadership. Cyber incidents happen unexpectedly, making preparedness preferable to reactionary measures following a crisis.

Steve Durbin is chief executive of the Information Security Forum, an independent association dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best practice methodologies, processes, and solutions that meet the business needs of its members. ISF membership comprises the Fortune 500 and Forbes 2000.


Visit our Incident response hub for guidance on achieving better cyber resilience


To view or add a comment, sign in

Insights from the community

Others also viewed

Explore topics